Update Helm release cert-manager to v1.9.0 - autoclosed

Renovate Bot requested to merge renovate/cert-manager-1.x into main

This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| cert-manager | minor | v1.8.2 -> v1.9.0 |

Release Notes

cert-manager/cert-manager

v1.9.0

Changes since v1.8.2

Changes by Kind

Feature
  • Added support for pulling both AWS access key IDs and secret keys from Kubernetes secrets (#​5194, @​Compy)
  • Adds make clean-all for starting a fresh development environment and make which-go for getting go version information when developing cert-manager (#​5118, @​SgtCoDFish)
  • Adds make upload-release target for publishing cert-manager releases to GCS, simplifying the cert-manager release process and making it easier to change (#​5205, @​SgtCoDFish)
  • Adds a new alpha Prometheus summary vector metric certmanager_http_venafi_client_request_duration_seconds which allows tracking the latency of Venafi API calls. The metric is labelled by the type of API call. Example PromQL query: certmanager_http_venafi_client_request_duration_seconds{api_call="request_certificate"} will show the average latency of calls to the Venafi certificate request endpoint (#​5053, @​irbekrm)
  • Adds more verbose logging info for certificate renewal in the DynamicSource webhook to include DNSNames (#​5142, @​AcidLeroy)
  • Adds new LICENSES format and ability to verify and update licenses through make (#​5243, @​SgtCoDFish)
  • Adds private key Ingress annotations to set private key properties for Certificate (#​5239, @​oGi4i)
  • Adds the cert-manager.io/revision-history-limit annotation for Ingress resources, to limit the number of CertificateRequests which are kept for a Certificate (#​5221, @​oGi4i)
  • Adds the literalSubject field for Certificate resources. This is an alpha feature, enabled by passing the flag --feature-gates=LiteralCertificateSubject=true to the cert-manager controller and webhook. literalSubject allows fine-grained control of the subject a certificate should have when issued and is intended for power-users with specific use cases in mind (#​5002, @​spockz)
  • Change default build dir from bin to _bin, which plays better with certain tools which might treat bin as just another source directory (#​5130, @​SgtCoDFish)
  • Helm: Adds a new namespace parameter which allows users to override the namespace in which resources will be created. This also allows users to set the namespace of the chart when using cert-manager as a sub chart. (#​5141, @​andrewgkew)
  • Helm: Allow for users to not auto-mount service account tokens; see also k/k#​57601 (#​5016, @​sveba)
  • Use multiple retries when provisioning tools using curl, to reduce flakes in tests and development environments (#​5272, @​SgtCoDFish)
Bug or Regression
  • CertificateRequests controllers must wait for the core secrets informer to be synced (#​5224, @​rodrigorfk)
  • Ensure that make release-artifacts only builds unsigned artifacts as intended (#​5181, @​SgtCoDFish)
  • Ensure the startupapicheck is only scheduled on Linux nodes in the helm chart (#​5136, @​craigminihan)
  • Fixed a bug where the Venafi Issuer would not verify its access token (TPP) or API key (Cloud) before becoming ready. Venafi Issuers now remotely verify the access token or API key (#​5212, @​jahrlin)
  • Fixed release artifact archives generated by Make so that a leading ./ is stripped from paths. This ensures that behaviour is the same as v1.7 and earlier (#​5050, @​jahrlin)
  • Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#​5226, @​SgtCoDFish)
  • Increases Venafi Issuer timeout for retrieving a certificate to 60 seconds, up from 10. This gives TPP instances longer to complete their workflows and make the certificate available before cert-manager times out and re-queues the request. (#​5247, @​hawksight)
  • Remove pkg/util/coverage which broke compatibility with go 1.18; thanks @​davidsbond for finding the issue! (#​5032, @​SgtCoDFish)
  • cmctl and kubectl cert-manager now report their actual versions instead of "canary", fixing issue #​5020 (#​5286, @​jetstack-bot)
Other (Cleanup or Flake)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


  • If you want to rebase/retry this MR, click this checkbox.

This MR has been generated by Renovate Bot.

Edited by Renovate Bot